Avoiding health data breaches: A comprehensive security plan

Not only have the threats to healthcare organizations increased, but so have the government fines. A single violation stays under $50,000, but repeat violations within the same calendar year can carry a penalty of up to $1.5 million in every HIPAA violation tier (up substantially from the previous $250K minimum). The average economic impact of a data breach has also increased by $400K since 2010, to a total of $2.4 million. Investigation and legal efforts, business downtime and lost credibility all drive costs well beyond the fines themselves.

For example, Blue Cross Blue Shield of Tennessee agreed in March 2012 to pay the Department of Health and Human Services (HHS) $1.5 million to settle potential HIPAA violations. In that case, 57 unencrypted computer hard drives containing protected health information (PHI) for more than 1 million individuals were stolen. The fine was less than 10% of the true cost of the incident: the organization spent more than $17 million on corrective actions.

In a more recent case, a class-action lawsuit was filed in April 2013 against Adventist Health System/Sunbelt, Inc., alleging that it violated patient privacy by failing to prevent emergency room workers from selling access to the organization's medical records databases. The court filings allege that, beginning in 2009, outside vendors (including lawyer referral services and chiropractors) paid emergency room personnel to comb through hospital records so the vendors could later solicit those patients. (The suit was later dismissed.)

No matter how big or small, healthcare organizations face growing challenges in protecting their patients' personal data. To protect your organization properly, you need a plan that addresses all three threat vectors: lost or stolen hardware, internal misuse, and advanced adversaries (hackers). Given today's threat levels and the high cost of data loss, the question organizations face is, "What can we do to best protect ourselves?"

Managing threats

You will not be able to identify and address today's threats quickly without the proper tools in place. The three main causes of data loss are lost or stolen equipment, internal misuse (intentional or unintentional), and advanced attacks by hackers. Each of the three requires its own set of technologies and processes:

Data loss due to misplaced or stolen devices: The best way to combat this threat is encryption. Blue Cross Blue Shield of Tennessee did not encrypt the 57 hard drives that were stolen and, as a result, the incident cost it more than $17 million in fines and remediation. Encrypting hard drives is wise, but what are you doing about USB sticks and mobile devices? Today's USB flash drives hold upwards of 128 GB. Policies need to either restrict the use of USB devices or ensure that data written to them is encrypted. Data loss prevention (DLP) software can help here: it can leave end users with access to USB while detecting sensitive data and encrypting it before it is copied to the device. Note that encryption only protects a lost device if the key does not travel with it (a password-protected drive whose key is cached on the laptop in the same bag buys little), so verify both the encryption status and the key handling before the device leaves the building.

Internal misuse: DLP software is also critical for ensuring that sensitive data does not leave the environment. In the Adventist Health System case, it is alleged that internal employees were paid to send emergency room records to outside vendors such as lawyer referral services and chiropractors. An example of unintentional misuse comes from my own experience. During a proof of concept, we noticed sensitive data being sent from corporate email addresses to personal email accounts between 4 and 6 p.m. The same documents then came back into the environment between 8 and 11 p.m., from the personal accounts to the corporate ones.

On investigation, the client found that employees were doing this to avoid having to connect over the virtual private network (VPN). Their intentions were good (they were trying to get work done at home), but it was clearly a misuse of sensitive data. DLP software can help protect against both intentional and unintentional misuse. It can be configured to monitor various user actions, such as sending data by email, uploading it to a website, copying it to a USB stick, sending it over instant messaging, or even printing it.

Once sensitive data is detected, actions can be taken, such as auditing, blocking, encrypting, or forcing the user to justify the action. With endpoint agents installed on laptops, protection applies even when users are offsite. Another key feature of DLP software is the ability to scan data at rest, such as files that reside on a laptop. Users very often save sensitive data to their hard drives and forget it is there; if the equipment is not disposed of properly and the drive is not encrypted, that data is exposed to whoever ends up with the hardware.
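As an added illustration of the two DLP use cases above (content detection on outbound mail, and the evening "send it home, send it back" pattern) and of the data-at-rest scan, here is a small Python detector written for this article; it is not RSA's or any vendor's code. The gateway records, the PHI regexes, the hospital.example domain and the list of webmail domains are all constructed for the example.

```python
import re
from datetime import datetime

# Content rules a DLP product would apply. These regexes are written for this
# example and are deliberately simple; a real rule set adds validation
# (SSN area-number rules, MRN check digits) to cut false positives.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\bDOB:?\s*\d{2}/\d{2}/\d{4}\b", re.IGNORECASE),
}

# Consumer webmail domains treated as "personal" destinations (assumed list).
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "aol.com"}

# Constructed mail-gateway records. The last field is the text the gateway
# extracted from the attachment. Format: ts|sender|recipient|attachment|sha256|text
SAMPLE_LOG = """
# constructed records for this example
2013-04-15T16:42:10|jdoe@hospital.example|jdoe.home@gmail.com|er_census.xlsx|a1b2c3|Patient Smith MRN 00123456 DOB 04/12/1961 SSN 123-45-6789
2013-04-15T17:05:33|rroe@hospital.example|rroe@yahoo.com|schedule.docx|d4e5f6|Shift schedule for April, no patient data
2013-04-15T21:10:02|jdoe.home@gmail.com|jdoe@hospital.example|er_census.xlsx|a1b2c3|Patient Smith MRN 00123456 DOB 04/12/1961 SSN 123-45-6789
2013-04-16T09:01:44|billing@hospital.example|claims@payer.example|claim.txt|778899|MRN 00987654 DOB 01/02/1950
"""


def find_phi(text):
    """Return {indicator: count} for every PHI pattern that matches in text."""
    hits = {name: len(pat.findall(text)) for name, pat in PHI_PATTERNS.items()}
    return {name: n for name, n in hits.items() if n}


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()


def parse_log(lines):
    """Parse pipe-delimited gateway records into dicts; skip blanks and comments."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, sender, rcpt, name, digest, text = line.split("|", 5)
        records.append({"ts": datetime.fromisoformat(ts), "sender": sender,
                        "rcpt": rcpt, "attachment": name, "sha256": digest,
                        "text": text})
    return records


def detect_misuse(records, corp_domain):
    """Two DLP-style rules over the mail log:
    1. PHI sent from a corporate address to a personal webmail address.
    2. 'Boomerang': the same attachment (matched by hash) later comes back
       from the personal address to the corporate one, i.e. the document was
       worked on at home outside the VPN."""
    alerts = []
    outbound = {}  # sha256 -> first outbound record carrying PHI
    for r in sorted(records, key=lambda rec: rec["ts"]):
        src, dst = domain_of(r["sender"]), domain_of(r["rcpt"])
        if src == corp_domain and dst in PERSONAL_DOMAINS:
            phi = find_phi(r["text"])
            if phi:
                alerts.append({"rule": "phi_to_personal_email", "ts": r["ts"],
                               "user": r["sender"], "sha256": r["sha256"],
                               "indicators": phi})
                outbound.setdefault(r["sha256"], r)
        elif src in PERSONAL_DOMAINS and dst == corp_domain and r["sha256"] in outbound:
            first = outbound[r["sha256"]]
            alerts.append({"rule": "boomerang", "ts": r["ts"], "user": r["rcpt"],
                           "sha256": r["sha256"], "first_sent": first["ts"]})
    return alerts


def scan_files(files):
    """Data-at-rest scan. files is {path: extracted text}; returns only the
    paths that contain PHI, with the indicator counts for each."""
    found = {}
    for path, text in files.items():
        phi = find_phi(text)
        if phi:
            found[path] = phi
    return found


if __name__ == "__main__":
    for alert in detect_misuse(parse_log(SAMPLE_LOG.splitlines()), "hospital.example"):
        print(alert)
    print(scan_files({"C:/Users/jdoe/old_list.csv": "MRN 00555555", "readme.txt": "hello"}))
```

The boomerang rule is the interesting one: the return message on its own looks harmless (a user mailing a file to their own work address), and it is only the correlation with the earlier outbound copy that reveals a document that spent the evening on an unmanaged home machine.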

Advanced hacking threats: Of the 571 incidents officially listed on the HHS breach tool, 46 were specifically attributed to some form of hacking. The healthcare sector was specifically mentioned in the 2012 Verizon Data Breach Investigations Report, although less often than other sectors. The Ponemon Institute survey on patient privacy also indicates that a major challenge for IT security is the rise in criminal attacks, which increased from 20 percent in 2010 to 33 percent in 2012.

The traditional "defense in depth" approach to protecting healthcare organizations is not working. More advanced tools and processes need to be in place to identify and monitor these attacks. Full packet capture tools fused with external threat intelligence can help identify attacks as they occur on the network, in real time, so that suspicious activity can be detected and remediated before data loss occurs. A further problem with advanced threats is that the malware they use often goes undetected by traditional anti-virus programs. Organizations must strongly consider advanced malware detection tools beyond traditional anti-virus; the malware analytic tools on the market today can better estimate the likelihood that a file or system is infected.
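To make the "packet capture plus threat intelligence" idea concrete, the following Python example (added here; it is not part of the original article or of any RSA product) runs two checks over constructed connection records of the kind a full-packet-capture tool would summarize: a lookup of destination IPs and DNS queries against an indicator list, and a beaconing check that flags a host contacting the same destination at nearly fixed intervals, which catches command-and-control traffic the indicator feed has not seen yet. The indicators, addresses and timestamps are all made up for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed indicators, standing in for an external threat-intel feed.
IOC_IPS = {"192.0.2.77"}
IOC_DOMAINS = {"updatecheck.example-c2.invalid"}

# Constructed connection summaries. Format: ts|src_ip|dst_ip|dst_port|dns_query|bytes_out
# 10.0.5.23 talks to 203.0.113.50 roughly every 5 minutes (a beacon);
# 10.0.7.9 talks to 198.51.100.10 at irregular, human-looking intervals.
SAMPLE_FLOWS = """
# constructed records for this example
2013-05-01T08:59:58|10.0.5.23|10.0.0.2|53|updatecheck.example-c2.invalid|64
2013-05-01T09:00:00|10.0.5.23|203.0.113.50|443|-|812
2013-05-01T09:00:00|10.0.7.9|198.51.100.10|443|-|2210
2013-05-01T09:00:12|10.0.7.9|198.51.100.10|443|-|1740
2013-05-01T09:04:12|10.0.7.9|198.51.100.10|443|-|980
2013-05-01T09:04:47|10.0.7.9|198.51.100.10|443|-|3320
2013-05-01T09:05:01|10.0.5.23|203.0.113.50|443|-|804
2013-05-01T09:09:59|10.0.5.23|203.0.113.50|443|-|809
2013-05-01T09:15:00|10.0.5.23|203.0.113.50|443|-|811
2013-05-01T09:19:47|10.0.7.9|198.51.100.10|443|-|1502
2013-05-01T09:20:02|10.0.5.23|203.0.113.50|443|-|806
2013-05-01T09:20:30|10.0.7.9|198.51.100.10|443|-|2877
2013-05-01T09:24:58|10.0.5.23|203.0.113.50|443|-|810
2013-05-01T09:30:00|10.0.7.9|192.0.2.77|8080|-|455
"""


def parse_flows(lines):
    """Parse the pipe-delimited flow summaries; '-' means no DNS query."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, dns, nbytes = line.split("|")
        flows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                      "dport": int(dport), "dns": dns, "bytes": int(nbytes)})
    return flows


def match_iocs(flows, ioc_ips=IOC_IPS, ioc_domains=IOC_DOMAINS):
    """Rule 1: any connection to a known-bad IP, or DNS lookup of a known-bad name."""
    alerts = []
    for f in flows:
        if f["dst"] in ioc_ips:
            alerts.append({"type": "ioc_ip", "ts": f["ts"], "src": f["src"],
                           "indicator": f["dst"]})
        if f["dns"] != "-" and f["dns"].lower() in ioc_domains:
            alerts.append({"type": "ioc_domain", "ts": f["ts"], "src": f["src"],
                           "indicator": f["dns"]})
    return alerts


def find_beacons(flows, min_count=5, max_cv=0.1):
    """Rule 2: a (src, dst, port) tuple seen at least min_count times whose
    inter-arrival gaps have a coefficient of variation (stdev / mean) at or
    below max_cv. Malware check-ins are timer-driven and therefore regular;
    browsing is not. Thresholds are chosen for the example, not tuned values."""
    by_tuple = defaultdict(list)
    for f in flows:
        by_tuple[(f["src"], f["dst"], f["dport"])].append(f["ts"])
    beacons = []
    for (src, dst, dport), stamps in by_tuple.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons.append({"src": src, "dst": dst, "dport": dport,
                            "count": len(stamps), "period_s": round(mean, 1),
                            "cv": round(cv, 4)})
    return beacons


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS.splitlines())
    for a in match_iocs(flows):
        print("IOC hit:", a)
    for b in find_beacons(flows):
        print("Beacon:", b)
```

The indicator match is only as good as the feed, which is why the second rule matters: the beaconing host here is never listed in the feed, but its clockwork 300-second check-in stands out against the other host's irregular sessions. On real traffic, expect to whitelist legitimate pollers (NTP, update services, monitoring agents) before the rule is useful.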

Matthew Paster is a Senior Technology Consultant at RSA, The Security Division of EMC. Paster consults with enterprise clients to help them find solutions to their most challenging security needs. This includes supporting a suite of security solutions that includes authentication, identity assurance and access control, data loss prevention (DLP), security information and event management (SIEM), deep packet inspection, network monitoring and analysis, encryption, tokenization and key management, governance, risk and compliance (GRC), and fraud prevention. He previously served as a Technology Security Solutions Professional for Microsoft.

Part of the problem is that organizations do not have a robust risk framework to measure risk. Where should funds be spent, and where should compensating controls suffice? What is my risk appetite? Additionally, who has access to what? If entitlements are not diligently managed and "bad" entitlements removed, the "candy store is open." Also, the Verizon Data Breach report goes on to mention that organizations have too many copies of data in their environments that do not all have the same level of security. A robust data masking (aka data de-identification) product can make this data worthless to hackers and harmless if accidentally exposed.
